In this age of widespread access to electronic information and increased risk of identity theft, employers more than ever need to be aware of the potential sources of liability when employee data is mishandled. The First District of the Illinois Appellate Court recently issued a decision addressing an unauthorized disclosure of sensitive, personal information concerning former employees. While the court reached a surprising result in affirming dismissal of the entire case, employers still must proceed with caution and can gain useful insights from the decision.
The Cooney Decision
In Cooney v. Chicago Public Schools, 2010 WL 5487520 (Ill. App. 1st Dist., Dec. 30, 2010), a class of 1,750 former employees of the Chicago Public Schools (“CPS”) sued CPS and the Board of Education of the City of Chicago (the “Board”) after the Board sent its “COBRA Open Enrollment list” to all 1,750 individuals. The list included information about all 1,750 former employees – their names, addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information. The day after the Board learned of the unauthorized disclosure, it sent a letter to all the former employees asking them to return the COBRA list or destroy it. The Board also offered the former employees free credit protection insurance for one year. The former employees’ complaint alleged several claims, including negligence, negligent infliction of emotional distress, breach of fiduciary duty and violations of the Personal Information Protection Act (“PIPA”), the Consumer Fraud and Deceptive Business Practices Act (“Consumer Fraud Act”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the Illinois common law right to privacy. The trial court dismissed all claims with prejudice and plaintiffs appealed. The appellate court affirmed.
The appellate court rejected plaintiffs’ negligence and breach of fiduciary duty claims based on its finding that the Board had no duty to safeguard plaintiffs’ personal information – a required element of both claims. Plaintiffs argued that HIPAA and PIPA created such a duty. Additionally, plaintiffs argued that because the Board’s disclosure violated both HIPAA’s proscription against disclosing any “individually identifiable health information” and PIPA’s provision concerning security breaches of computerized personal data, those violations were evidence of negligence. The appellate court disagreed. The court explained that there was no HIPAA violation because the information disclosed fell within the HIPAA exception for “employment records held by a covered entity in its role as employer.” That is, because the Board held plaintiffs’ health insurance elections in its role as an employer, its disclosure of that information “f[ell] outside HIPAA’s coverage.” While the court agreed that the Board’s disclosure violated PIPA, it concluded no statutory duty was breached because the sole remedy provided for by PIPA is notice of the breach – which the Board timely provided. Having disposed of any statutory duty to safeguard plaintiffs’ personal information, the appellate court also declined plaintiffs’ invitation to create a “new common law duty” to safeguard employees’ personal information. The appellate court reasoned that doing so is the role of the Illinois legislature, not the appellate courts.
The appellate court also readily dismissed the statutory claims. The HIPAA claim failed not only because of the exception for “employment records,” but also because HIPAA provides no private right of action. Again, the PIPA claim failed because the Board timely notified plaintiffs of the disclosure, which is all PIPA requires. No violation of the Consumer Fraud Act occurred because plaintiffs alleged as damages only a potential harm (“increased risk of future identity theft”) and the purchase of credit monitoring services. Neither was sufficient to constitute actual economic damage, as required for a claim under the statute.
As for the invasion of privacy claims, the appellate court dismissed those because the Board’s disclosure did not involve any “private” facts. The court distinguished personal information of the sort disclosed by the Board – names, addresses and social security numbers – from “private” facts which the court described as “facially embarrassing and highly offensive if disclosed.” Because none of the personal data at issue consisted of any such embarrassing or offensive facts, the invasion-of-privacy claims failed.
Implications for Employers
The Cooney decision reaches a surprising result in dismissing the former employees’ entire case against CPS and the Board. It remains to be seen how this decision will be interpreted, and employers should be cautious in relying on it. As an initial matter, the finding that the Board had no legal duty to protect its former employees’ personal data may be limited to the facts of this case, which involved a government employer. A court could always choose not to follow Cooney in cases involving private employers or in cases distinguishable in other ways (for example, where the employer discloses additional information, fails to immediately notify the employees of an unauthorized disclosure, or where the employee suffers actual economic damage).
Additionally, the Cooney decision may be appealed and overturned. As the dissenting judge explained, the majority’s analysis is arguably flawed in applying the HIPAA exception for “employment records held by a[n] … employer.” While the exception clearly applies to records held and maintained by an employer, it arguably does not apply when those records are disclosed (as they were in this case). If the majority’s conclusion, that no legal duty exists because the HIPAA exception applies, were overturned – a different result likely would ensue. Specifically, plaintiffs’ negligence and breach of fiduciary duty claims probably would proceed if a legal duty were found to have been created by HIPAA. Additionally, because CPS’ disclosure included “individually identifiable health information,” there would be evidence of negligence due to the HIPAA violation.
One significant aspect of the Cooney decision rests on particularly firm ground – the court’s finding that the disclosure was not a tortious invasion of privacy. The court in Cooney found no such claim possible because the disclosed facts were only personal, not “private.” This finding is supported by prior Illinois precedents suggesting that social security numbers are not sufficiently “private” facts for purposes of an invasion of privacy claim. The U.S. Supreme Court also recently held in NASA v. Nelson, 2011 WL 148254 (Jan. 19, 2011), that the government’s use of employment background check forms that had open-ended inquiries and sought (among other things) drug and alcohol use information did not violate any federal constitutional right to informational privacy. In Nelson, the Court pointed out that employment background checks are a reasonable, commonplace tool to assist employers in managing their operations and workforce. While Nelson uses an analysis not applicable to the private sector, it provides general support for the notion that collecting certain kinds of personal employee information does not implicate privacy concerns. Where, however, the information at issue goes beyond an employee’s basic personal information and includes any “embarrassing” or “offensive” facts, a privacy claim may stand.